
My experience using Scalp is that its output contains a lot of false positives and is missing a lot of true positives. It also doesn't distinguish between successful attempts and unsuccessful attempts. Both of these are controlled by the default_filter.xml file that comes from the PHP-IDS project so it should get better as that set of filters is improved. That said, using it was much better than trawling through the log files by hand. Parsing the log file was also quite slow although I understand they are rewriting it in C now which might help.
– Ladadadada Nov 18 '11 at 17:20

@Mohamed Any idea of where I can find a list of attack patterns for detecting attacks in apache logs please. Those you mentioned are great for starting, but any others?
– user1724140 Mar 24 '13 at 12:53

As Ams noted, log analysis won't cover all attacks and you won't see parameters of POST requests. However, analyzing logs for POST requests sometimes is very rewarding.

Specifically, POSTs are popular for sending malicious code to backdoor scripts. Such backdoors can be created somewhere deep in subdirectories, or backdoor code can be injected into a legitimate file. If your site is not under version control or some other integrity control, it may be hard to locate such backdoor scripts.

Here's the trick:

1. Scan your access logs for POST requests and compile a list of requested files. On regular sites, there shouldn't be many of them.

2. Check those files for integrity and legitimacy. This will be your white list.

3. Now regularly scan your logs for POST requests and compare requested files with your white list (needless to say you should automatize this process). Any new file should be investigated. If it is legitimate - add it to the whitelist. If not - investigate the problem.

This way you'll be able to efficiently detect suspicious POST requests to files that normally don't accept POST requests (injected backdoor code) and newly created backdoor files. If you are lucky, you can use the IP address of such requests to identify the initial point of penetration, or you can simply check the log around that time for suspicious activity.
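The three steps above as a small script, added here as an example and not part of the original answer. It assumes the Apache common/combined log format; the log lines, paths and allowlist are constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache common/combined format: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>[^\s"]+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) '
)

SAMPLE_LOG = [  # constructed lines, documentation-range addresses
    '192.0.2.10 - - [24/Mar/2013:12:50:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [24/Mar/2013:12:50:09 +0000] "POST /contact.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Mar/2013:12:51:44 +0000] "POST /images/cache/../thumbs/t.php?a=1 HTTP/1.1" 200 17 "-" "-"',
    '198.51.100.7 - - [24/Mar/2013:12:51:50 +0000] "POST /images/thumbs/t.php HTTP/1.1" 200 902 "-" "-"',
    '203.0.113.5 - - [24/Mar/2013:12:52:02 +0000] "-" 408 - "-" "-"',
]
ALLOWLIST = {"/contact.php"}  # files already checked for integrity (step 2)


def post_targets(lines):
    """Yield (path, ip, time, status) for every POST request in the log."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST":
            continue  # non-POST, or a malformed request line such as "-"
        # Drop the query string, decode %xx and collapse ./ and ../ so that
        # different spellings of one file compare equal to one allowlist entry.
        raw = m.group("target").split("?", 1)[0]
        path = posixpath.normpath(unquote(raw))
        yield path, m.group("ip"), m.group("time"), int(m.group("status"))


def unknown_posts(lines, allowlist):
    """Map each POSTed path missing from the allowlist to its requests."""
    hits = defaultdict(list)
    for path, ip, time, status in post_targets(lines):
        if path not in allowlist:
            hits[path].append((ip, time, status))
    return dict(hits)


if __name__ == "__main__":
    for path, reqs in unknown_posts(SAMPLE_LOG, ALLOWLIST).items():
        print(f"not in allowlist: {path}")
        for ip, time, status in reqs:
            print(f"    {time}  {ip}  status={status}")
```

The status code is kept alongside each hit because a POST answered with 404 points to a file that does not exist, while a 200 for an unlisted path means the file is there and should be inspected.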

"Scalp! is a log analyzer for the Apache web server that aims to look for security problems. The main idea is to look through huge log files and extract the possible attacks that have been sent through HTTP/GET"

Try LORG -> https://github.com/jensvoid/lorg. It has different detection modes (signature-based, statistics-based, learning-based), some nice features like geomapping, DNSBL-lookups and robot detection (= was the attacker a man or a machine?).

It can make a guess on the success of attacks by looking for outliers in the 'bytes-sent' field, HTTP response codes or active replay of attacks.